Finally, a country’s citizens get to have their say on mass surveillance

WELCOME to Connected Rights, your shot in the dark of digital rights news and analysis.

THE DUTCH PEOPLE ARE GOING TO GET A MASS SURVEILLANCE REFERENDUM, probably next March. The country has a law that says if people can gather 300,000 valid signatures calling for a poll on an issue, they get their referendum. And that’s what happened here: http://zd.net/2j9CDHH

The catch is, the result of the referendum will only be advisory, and the leader of the Christian Democratic Appeal (CDA) party, which controls the Dutch justice ministry, has already said he intends to ignore the result.

The law in question is analogous to the UK’s post-Snowden Investigatory Powers Act, a.k.a. the Snooper’s Charter. This one is called the Intelligence and Security Agencies Act, a.k.a. the Sleepwet (it sounds better with Dutch pronunciation) or “dragnet law”. It allows the authorities to engage in mass surveillance of the country’s internet infrastructure, and to hack the heck out of the phones and computers of not only crime suspects, but also the people that they know.

Those fighting the law, which was passed back in July, don’t want to kill it entirely – they just want those powers made more targeted. And they’re realistic about the outcome. As Nina Boelsums, one of the pushback’s organisers, told me, the debate might at least convince other parties in the ruling coalition to amend the law to some degree, even if the CDA sticks its fingers in its ears and hums loudly.

“We also think it’s very important that the privacy discussion is revived after the Snowden leaks, because everybody has kind of forgotten about it,” she said.

THE EUROPEAN COURT OF HUMAN RIGHTS HELD A HEARING about the UK’s mass surveillance on Tuesday, taking testimony from a host of civil rights groups who suspect they have been spied upon, or who simply want the surveillance to stop: http://bit.ly/2zmhrEy

This was actually three cases rolled into one, with complainants including Big Brother Watch and the Bureau of Investigative Journalism (one case each), and Amnesty International, Liberty, Privacy International, the American Civil Liberties Union, South Africa’s Legal Resources Centre, and others (in one combined case).

Their suits follow the revelations of Edward Snowden about the bulk interception programs of the UK’s GCHQ spy agency and its partner, the NSA. When the ECtHR issues its ruling, it will probably have direct implications not only for the UK’s Investigatory Powers Act, but for countries around the world whose citizens find their information sucked through the UK’s filters.

“We work with whistleblowers, victims, lawyers, journalists and campaigners around the world, so confidentiality and protection of our sources is vital,” said Liberty director Martha Spurrier. “The UK government’s vast, cross-border mass surveillance regime – which lets it access millions of people’s communications every day – has made those protections meaningless.”

THOSE WHO WORRY ABOUT THE INTERNATIONAL REPERCUSSIONS of the EU’s “right to be forgotten” – and I’m one of them – need to remember that there’s an analogous case going on in North America, regarding Google and a company called Equustek.

In Europe, the issue is whether Google has to take down out-of-date links about people just within the EU (as Google does) or across the world (as the French privacy regulator CNIL demands). That case is heading to the Court of Justice of the European Union. The Equustek case has been playing out in Canada, where the Supreme Court ruled that Google has to expunge links to websites that infringe on a company’s intellectual property rights – again, around the world.

Last week, a U.S. federal court issued a preliminary injunction blocking application of the Canadian court’s order in the U.S. Google will probably now move to get a permanent injunction. And, as Michael Geist notes, this is exactly the problem with countries trying to enforce their own laws on other countries, on the basis that an online service provider spans borders: http://bit.ly/2zi1oFr

THE UK’s PRIVACY REGULATOR HAS FINED a data broker called Verso Group for trading in people’s personal information without telling those people what it was doing with their data: http://bit.ly/2ApVsdR

The ICO’s fine was only £80,000, but remember that the General Data Protection Regulation (GDPR) is not yet in effect. When it is, fines will of course be as much as €20 million in particularly egregious cases. And this was a pretty bad case – Verso was gathering people’s data by having overseas call centres ring them up to conduct “surveys”, then selling the data to companies engaging in direct marketing.

Here’s a very good quote from ICO deputy commissioner James Dipple-Johnstone: “Businesses need to understand they don’t own personal data – people do and those people have the right to know what is happening to it and who is likely to be contacting them for marketing.”

A lot of businesses do indeed think that they own the personal data that they hold. After all, that’s essentially the approach taken in the US. It’s not the European approach, though, and companies are going to get in serious trouble from May next year, when the GDPR comes down like a ton of bricks, if they don’t change their attitudes.

FACEBOOK IS ASKING SOME PEOPLE FOR THEIR NUDE PICTURES in Australia – and the reason is totally legit. The company is actually trying to counteract the phenomenon of “revenge porn”, where people upload nude pictures of their exes without their consent: http://ab.co/2hlG0e9

Facebook’s trial solution works like this: those who are worried that they may become revenge porn victims can (if they themselves possess the photos, of course) upload them to a special Facebook/Instagram/Messenger repository where the photos will be “hashed” – a digital fingerprint of that shot will be made and then stored. And when people subsequently upload photos to those platforms, those pictures will also be hashed, and the hashes will be compared to see if it’s the same shot.

Because of that, Facebook doesn’t have to store the pictures themselves, although it says it will do so for a short while during the pilot scheme, in order to make sure that the system works.
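
The compare-by-fingerprint idea described above, as an added Python example (not Facebook's code; the article does not say which hashing algorithm the pilot uses). It assumes a simple "difference hash" over a tiny grayscale grid, which a real system would obtain by downscaling the photo, and shows why a matcher of this kind tolerates re-encoding where an exact cryptographic hash does not. All pixel data and the match threshold are constructed for the example.

```python
import hashlib

def dhash(pixels):
    """64-bit difference hash of an 8x9 grayscale grid: one bit per
    horizontally adjacent pair, set when the left pixel is brighter."""
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

def sha256_hex(pixels):
    """Exact-match fingerprint over the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

class FingerprintStore:
    """Keeps fingerprints only; the reported image is never retained."""
    def __init__(self, max_distance=4):  # threshold is an assumed value
        self.fingerprints = set()
        self.max_distance = max_distance

    def report(self, pixels):
        self.fingerprints.add(dhash(pixels))

    def matches(self, pixels):
        h = dhash(pixels)
        return any(hamming(h, f) <= self.max_distance for f in self.fingerprints)

# Constructed sample data: 8 rows x 9 columns of grayscale values (0..199).
REPORTED = [[(r * 37 + c * c * 11) % 200 for c in range(9)] for r in range(8)]
# Same shot after re-encoding: slightly brighter, one pixel damaged.
REENCODED = [[v + 3 for v in row] for row in REPORTED]
REENCODED[0][0] = 50
# Stand-in for a different picture: the negative of the sample grid.
DIFFERENT = [[199 - v for v in row] for row in REPORTED]

store = FingerprintStore()
store.report(REPORTED)

if __name__ == "__main__":
    print("exact hash equal:", sha256_hex(REPORTED) == sha256_hex(REENCODED))
    print("bits changed:", hamming(dhash(REPORTED), dhash(REENCODED)))
    print("re-encoded copy matches:", store.matches(REENCODED))
    print("different picture matches:", store.matches(DIFFERENT))
```

The store holds one 64-bit integer per reported photo, which is why the photos themselves do not need to be kept once matching is known to work.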

DIGITAL IDENTITY TOOLS ARE ALL GOOD AND FINE as long as their security is rock-solid. In Estonia, the land of forward-thinking digital citizenship, it turns out that hundreds of thousands of ID cards – used for voting and filing taxes and signing documents – have a critical flaw: http://bit.ly/2zi1qj8

The Estonian authorities have had to suspend a whopping 760,000 ID cards, despite swearing blind that the cost of exploiting the flaws would obviate “large-scale vote fraud”. That may be, but security researchers now believe that attackers might be able to crack someone’s digital identity for as little as $2,000, which is cheap enough, depending on the reason for doing so.

AN IRANIAN WOMAN FORCED A PLANE TO MAKE AN EMERGENCY LANDING after discovering, mid-flight, that her husband was cheating on her. In the phrasing of The Indian Express, she “lost calm and refused to be pacified”, so the crew of the Doha-Bali flight had to make an unscheduled stop in Chennai.

How did she make this discovery in the air? Her husband was sleeping and she used his thumb to unlock his phone. Yet another lesson in the dangers of biometrics as opposed to good old-fashioned passphrases (not that biometrics don’t have their advantages): http://bit.ly/2Ai2joT

SPEAKING OF BIOMETRICS, IS IT BAD that Apple is letting third-party app developers access the three-dimensional facial data generated by the special depth-sensing camera in the iPhone X? Staunch Apple defender John Gruber says not: http://bit.ly/2j8n4A2

His argument goes like this: Apple doesn’t let third parties access the “mathematical representation” of people’s faces that is stored in a special chipset in each device – in other words, it’s still not possible for someone else to steal the information they would need to log into someone’s iPhone. This is essentially just a better camera that enables new uses, and Apple is giving the same access to it that it gives to older phones’ cameras.

I find this argument quite persuasive, although at the same time I do think it worrying that a third-party developer could gain such detailed information about people’s faces, which could end up feeding into some database that in turn feeds into a facial-recognition surveillance database. But hey, I’m the kind of guy who puts tape over my laptop’s webcam. I suppose that as long as no-one’s being duped into giving up more information than they realise, this is OK… for some.

About the author

I’m David Meyer, a tech journalist with more than a decade’s experience writing about technology. I’ve covered many topics in that time, though I’m most interested in the policy decisions and technological breakthroughs that will shape our world. You can find me on Twitter as @superglaze and on Facebook as @davidmeyerwrites.